Hello, I'm trying to configure automatic KSK (or CSK) rollover. I'm confused about how to poll securely for DS records.
Section 5.1.2.1 of the BIND 9 Administrator Reference Manual says:

| [parental-agents] needs to be a trusted server, because BIND does not
| validate the response.

and section 8.2.26.1 says:

| The DS response is not validated so it is recommended to set up a
| trust relationship with the parental agent. For example, use TSIG to
| authenticate the parental agent, or point to a validating resolver.

I don't think the registry wants to exchange TSIG keys with every domain holder. A validating resolver seems much more achievable.

My master server is also the validating resolver of its host. Can I set parental-agents to localhost to make BIND ask itself to validate the DS response? Or would it still do the lookup in the same non-validating way? Or would it enter infinite recursion? Must the validating resolver be a different name server from the master server that performs the key rollover?

Björn Persson
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
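The message asks how to poll securely for the DS records at the parent. Independently of whatever parental-agents is set to, the zone operator can verify from the zone's own host that a validating resolver returns the expected DS with the AD (authenticated data) flag set. The script below is an added example written for this thread; it is not part of the original message and not BIND's own code. The resolver address 192.0.2.53 and the zone example.com are placeholders, and the dig output it parses is a constructed sample with a made-up digest, so the script runs offline; the commented-out lines at the end show where live `dig` and `dnssec-dsfromkey` output would be substituted.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): check that a DS
# answer from a validating resolver is (a) validated, i.e. carries the AD flag,
# and (b) contains the DS the zone operator expects for its KSK/CSK.
# Placeholders: RESOLVER and ZONE are assumed values, not real infrastructure.

ZONE="example.com"
RESOLVER="192.0.2.53"   # placeholder: a validating resolver the operator trusts

# ad_flag_set OUTPUT
# Succeeds only if the ";; flags:" line of the dig output contains "ad",
# meaning the resolver itself validated the answer.
ad_flag_set() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# extract_ds OUTPUT
# Prints each DS record from the ANSWER section as "keytag algo digesttype DIGEST",
# joining any whitespace-split digest and upper-casing it so comparison is exact.
extract_ds() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/ || /^;;/         { in_answer = 0 }
        in_answer && $4 == "DS" {
            digest = toupper($8)
            for (i = 9; i <= NF; i++) digest = digest toupper($i)
            print $5, $6, $7, digest
        }'
}

# ds_published_and_validated OUTPUT EXPECTED_DS
# Succeeds (exit 0) only when the answer is validated AND the expected DS
# ("keytag algo digesttype DIGEST") is among the published DS records.
ds_published_and_validated() {
    ad_flag_set "$1" || return 1
    extract_ds "$1" | grep -qx "$2"
}

# Constructed sample of what `dig @$RESOLVER $ZONE DS +dnssec` could print.
# The digest and RRSIG are made-up test data, not a real DS for example.com.
SAMPLE_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.		3600	IN	DS	12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.com.		3600	IN	RRSIG	DS 8 2 3600 20300101000000 20290101000000 11111 com. ZmFrZQ==
'

# Same constructed answer with the AD flag stripped: a non-validating path
# (or a tampered answer) must NOT be accepted, even though the DS text matches.
UNVALIDATED_OUTPUT=$(printf '%s\n' "$SAMPLE_OUTPUT" | sed 's/ ra ad;/ ra;/')

# Expected DS, as the operator would derive it from the zone's own KSK/CSK.
EXPECTED_DS="12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Live usage (needs network and the key file; left commented so the example runs offline):
#   OUTPUT=$(dig @"$RESOLVER" "$ZONE" DS +dnssec)
#   EXPECTED_DS=$(dnssec-dsfromkey -2 "K$ZONE.+013+12345.key" | awk '{print $4, $5, $6, $7}')
#   ds_published_and_validated "$OUTPUT" "$EXPECTED_DS" && echo "DS published and validated"
```

The check deliberately requires both conditions: a matching DS in an answer without the AD flag is treated as a failure, because that is exactly the case the ARM warns about when BIND fetches the DS without validating it.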